How can I use icacls to acheive the same deny results as with the

  • Thread starter Thread starter Pelle Plutt
  • Start date Start date
P

Pelle Plutt

I have been trying to use icacls to automate setting an deny write+delete for
Everyone to avoid modifying a "gold master" folder.
Unfortunately I have been unable to get it to work.
Here's what I did:
I created one folder xxx and another yyy.
Using the Security tab of the Properties dialog for xxx, I added an entry
for everyone and checked deny for
* Create files / write data
* Create folders / append data
* Write attributes
* Write extented attributes
* Delete subfolders and files
* Delete

This now works fine - I can browse into the xxx folder, list files but not
change or delete stuff.

Using icacls to list the ACL this comes out as:

Everyone:(OI)(CI)(DENY)(W,D,DC)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

So then i used icacls on the yyy folder:
icacls yyy /deny everyone:(OI)(CI)(W,D,DC)

The folder security properties (GUI) look exactly like the one for xxx.
icacls also reports back the exact same list.
However: It does not work. I cannot open the folder in Explorer or CD into
the folder on the command line. I have lost my read/list rights.

So: there is something fishy with the GUI and icacls because if I use the
old cacls I get an additional piece of information that I don't know how to
interpret:

xxx Everyone:(OI)(CI)(DENY)(special access:)
DELETE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES

yyy Everyone:(OI)(CI)(DENY)(special access:)
DELETE
SYNCHRONIZE
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_WRITE_ATTRIBUTES

A-ha! Where did that deny: synchronize come from? Is that my problem? How do
I get rid of it?

Unfortunately I cannot use the old cacls as it has no deny mode to deny some
partical rights for a user.

Help.

/Per
 
Additional info:
Using icacls /save and viewing the "dump files", the difference between the
folders come out like this:

xxx
D:AI(D;OICI;DCLCRPDTCRSD;;;WD)(A;...
- the rest of the data is the same as for yyy

yyy
D:AI(D;OICI;0x110156;;;WD)(A;...
 
Back
Top